source: trunk/third/bind/FAQ @ 21744

Revision 21744, 15.6 KB checked in by ghudson, 20 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r21743, which included commits to RCS files with non-trunk default branches.
Line 
1
2
3
4Frequently Asked Questions about BIND 9
5
6
7Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
8
9A: Linux threads do not fully implement the Posix threads (pthreads) standard.
10In particular, setuid() operates only on the current thread, not the full
11process.  Because of this limitation, BIND 9 cannot use setuid() on Linux as it
12can on all other supported platforms.  setuid() cannot be called before
13creating threads, since the server does not start listening on reserved ports
14until after threads have started.
15
16  In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
17capabilities across a setuid() call is present.  This allows BIND 9 to call
18setuid() early, while retaining the ability to bind reserved ports.  This is
19a Linux-specific hack.
20
21  On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
22of a security risk than a root process that has not dropped privileges.
23
24  If Linux threads ever work correctly, this restriction will go away.
25
26  Configuring BIND9 with the --disable-threads option (the default) causes a
27non-threaded version to be built, which will allow -u to be used.
28
29
30Q: Why does named log the warning message "no TTL specified - using SOA
31MINTTL instead"?
32
33A: Your zone file is illegal according to RFC1035.  It must either
34have a line like
35
36   $TTL 86400
37
38at the beginning, or the first record in it must have a TTL field,
39like the "84600" in this example:
40
41   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
42
43Q: Why do I see 5 (or more) copies of named on Linux?
44
45A: Linux threads each show up as a process under ps.  The approximate
46number of threads running is n+4, where n is the number of CPUs.  Note that
47the amount of memory used is not cumulative; if each process is using 10M of
48memory, only a total of 10M is used.
49
50
51Q: Why does BIND 9 log "permission denied" errors accessing its
52configuration files or zones on my Linux system even though it is running
53as root?
54
55A: On Linux, BIND 9 drops most of its root privileges on startup.
56This including the privilege to open files owned by other users.
57Therefore, if the server is running as root, the configuration files
58and zone files should also be owned by root.
59
60
61Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
62bar: ran out of space"
63
64A: This is often caused by TXT records with missing close quotes.  Check that
65all TXT records containing quoted strings have both open and close quotes.
66
67
68Q: How do I produce a usable core file from a multithreaded named on Linux?
69
70A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps
71are usable (that is, the correct thread is dumped).  Otherwise, if using
72a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch
73and rebuild the kernel.  This patch will cause multithreaded programs to dump
74the correct thread.
75
76
77Q: How do I restrict people from looking up the server version?
78
79A: Put a "version" option containing something other than the real
80version in the "options" section of named.conf.  Note doing this will
81not prevent attacks and may impede people trying to diagnose problems
82with your server.  Also it is possible to "fingerprint" nameservers to
83determine their version.
84
85
86Q: How do I restrict only remote users from looking up the server
87version?
88
89A: The following view statement will intercept lookups as the internal
90view that holds the version information will be matched last.  The
91caveats of the previous answer still apply, of course.
92
93  view "chaos" chaos {
94          match-clients { <those to be refused>; };
95          allow-query { none; };
96          zone "." {
97                  type hint;
98                  file "/dev/null";  // or any empty file
99          };
100  };
101
102
103Q: What do "no source of entropy found" or "could not open entropy source foo"
104mean?
105
106A: The server requires a source of entropy to perform certain operations,
107mostly DNSSEC related.  These messages indicate that you have no source
108of entropy.  On systems with /dev/random or an equivalent, it is used by
109default.  A source of entropy can also be defined using the random-device
110option in named.conf.
111
112
113Q: I installed BIND 9 and restarted named, but it's still BIND 8.  Why?
114
115A: BIND 9 is installed under /usr/local by default.  BIND 8 is often
116installed under /usr.  Check that the correct named is running.
117
118
119Q: I'm trying to use TSIG to authenticate dynamic updates or zone
120transfers.  I'm sure I have the keys set up correctly, but the server
121is rejecting the TSIG.  Why?
122
123A: This may be a clock skew problem.  Check that the the clocks on
124the client and server are properly synchronized (e.g., using ntp).
125
126
127Q: I'm trying to compile BIND 9, and "make" is failing due to files not
128being found.  Why?
129
130A: Using a parallel or distributed "make" to build BIND 9 is not
131supported, and doesn't work.  If you are using one of these, use
132normal make or gmake instead.
133
134
135Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is
136logging error messages like "notify to 10.0.0.1#53 failed: unexpected
137end of input".  What's wrong?
138
139A: This error message is caused by a known bug in BIND 8.2.3 and is fixed
140in BIND 8.2.4.  It can be safely ignored - the notify has been acted on by
141the slave despite the error message.
142
143
144Q: I keep getting log messages like the following.  Why?
145
146   Dec  4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
147   update failed: 'RRset exists (value dependent)' prerequisite not
148   satisfied (NXRRSET)
149
150A: DNS updates allow the update request to test to see if certain
151conditions are met prior to proceeding with the update.  The message
152above is saying that conditions were not met and the update is not
153proceeding.  See doc/rfc/rfc2136.txt for more details on prerequisites.
154
155
156Q: I keep getting log messages like the following.  Why?
157
158   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
159
160A: Someone is trying to update your DNS data using the RFC2136 Dynamic
161Update protocol.  Windows 2000 machines have a habit of sending dynamic
162update requests to DNS servers without being specifically configured to
163do so.  If the update requests are coming from a Windows 2000 machine,
164see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
165for information about how to turn them off.
166
167
168Q: I see a log message like the following.  Why?
169
170   couldn't open pid file '/var/run/named.pid': Permission denied
171
172A: You are most likely running named as a non-root user, and that user
173does not have permission to write in /var/run.  The common ways of
174fixing this are to create a /var/run/named directory owned by the named
175user and set pid-file to "/var/run/named/named.pid", or set
176pid-file to "named.pid", which will put the file in the directory
177specified by the directory option (which, in this case, must be writable
178by the named user).
179
180
181Q: When I do a "dig . ns", many of the A records for the root
182servers are missing.  Why?
183
184A: This is normal and harmless.  It is a somewhat confusing side effect
185of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
186makes to avoid promoting glue into answers.
187
188When BIND 9 first starts up and primes its cache, it receives the root
189server addresses as additional data in an authoritative response from
190a root server, and these records are eligible for inclusion as
191additional data in responses.  Subsequently it receives a subset of
192the root server addresses as additional data in a non-authoritative
193(referral) response from a root server.  This causes the addresses to
194now be considered non-authoritative (glue) data, which is not eligible
195for inclusion in responses.
196
197The server does have a complete set of root server addresses cached
198at all times, it just may not include all of them as additional data,
199depending on whether they were last received as answers or as glue.
200You can always look up the addresses with explicit queries like
201"dig a.root-servers.net A".
202
203
204Q: Zone transfers from my BIND 9 master to my Windows 2000 slave
205fail.  Why?
206
207A: This may be caused by a bug in the Windows 2000 DNS server where
208DNS messages larger than 16K are not handled properly.  This can be
209worked around by setting the option "transfer-format one-answer;".
210Also check whether your zone contains domain names with embedded
211spaces or other special characters, like "John\032Doe\213s\032Computer",
212since such names have been known to cause Windows 2000 slaves to
213incorrectly reject the zone.
214
215
216Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
217
218A: A zone can be updated either by editing zone files and reloading
219the server or by dynamic update, but not both.  If you have enabled
220dynamic update for a zone using the "allow-update" option, you are not
221supposed to edit the zone file by hand, and the server will not
222attempt to reload it.
223
224
225Q: I can query the nameserver from the nameserver but not from other
226machines.  Why?
227
228A: This is usually the result of the firewall configuration stopping
229the queries and / or the replies.
230
231
232Q: How can I make a server a slave for both an internal and
233an external view at the same time?  When I tried, both views
234on the slave were transferred from the same view on the master.
235
236A: You will need to give the master and slave multiple IP addresses and
237use those to make sure you reach the correct view on the other machine.
238
239        e.g.
240        Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
241            internal:
242                match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
243                notify-source 10.0.1.1;
244                transfer-source 10.0.1.1;
245                query-source address 10.0.1.1;
246            external:
247                match-clients { any; };
248                recursion no;   // don't offer recursion to the world
249                notify-source 10.0.1.2;
250                transfer-source 10.0.1.2;
251                query-source address 10.0.1.2;
252
253        Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
254            internal:
255                match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
256                notify-source 10.0.1.3;
257                transfer-source 10.0.1.3;
258                query-source address 10.0.1.3;
259            external:
260                match-clients { any; };
261                recursion no;   // don't offer recursion to the world
262                notify-source 10.0.1.4;
263                transfer-source 10.0.1.4;
264                query-source address 10.0.1.4;
265
266        You put the external address on the alias so that all the other
267        dns clients on these boxes see the internal view by default.
268
269A: (BIND 9.3 and later) Use TSIG to select the appropriate view.
270
271        Master 10.0.1.1:
272        key "external" {
273                algorithm hmac-md5;
274                secret "xxxxxxxx";
275        };
276        view "internal" {
277                match-clients { !key external; 10.0.1/24; };
278                ...
279        };
280        view "external" {
281                match-clients { key external; any; };
282                server 10.0.0.2 { keys external; };
283                recursion no;
284                ...
285        };
286
287        Slave 10.0.1.2:
288        key "external" {
289                 algorithm hmac-md5;
290                 secret "xxxxxxxx";
291        };
292        view "internal" {
293                match-clients { !key external; 10.0.1/24; };
294        };
295        view "external" {
296                match-clients { key external; any; };
297                server 10.0.0.1 { keys external; };
298                recursion no;
299                ...
300        };
301
302
303Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there.
304
305A: /dev/random is not configured.  Use rndcontrol(8) to tell the kernel
306to use certain interrupts as a source of random events.  You can make this
307permanent by setting rand_irqs in /etc/rc.conf.
308
309e.g.
310        /etc/rc.conf
311        rand_irqs="3 14 15"
312
313See also http://people.freebsd.org/~dougb/randomness.html
314
315
316Q: Why is named listening on UDP port other than 53?
317
318A: Named uses a system selected port to make queries of other nameservers.
319This behaviour can be overridden by using query-source to lock down the
320port and/or address.  See also notify-source and transfer-source.
321
322
323Q: I get error messages like "multiple RRs of singleton type" and
324"CNAME and other data" when transferring a zone.  What does this mean?
325
326A: These indicate a malformed master zone.  You can identify the
327exact records involved by transferring the zone using dig then
328running named-checkzone on it.
329
330        e.g.
331                dig axfr example.com @master-server > tmp
332                named-checkzone example.com tmp
333
334
335Q: I get error messages like "named.conf:99: unexpected end of input" where
33699 is the last line of named.conf.
337
338A: Some text editors (notepad and wordpad) fail to put a line termination
339indication (e.g. CR/LF) on the last line of a text file.  This can be fixed
340by "adding" a blank line to the end of the file.  Named expects to see EOF
341immediately after EOL and treats text files where this is not met as truncated.
342
343
344Q: I get warning messages like "zone example.com/IN: refresh: failure trying master
3451.2.3.4#53: timed out".
346
347A: Check that you can make UDP queries from the slave to the master
348
349        dig +norec example.com soa @1.2.3.4
350
351A: You could be generating queries faster than the slave can cope with.  Lower
352the serial query rate.
353
354        serial-query-rate 5; // default 20
355
356Q: How do I share a dynamic zone between multiple views?
357
358A: You choose one view to be master and the second a slave and transfer
359the zone between views.
360
361        Master 10.0.1.1:
362        key "external" {
363                algorithm hmac-md5;
364                secret "xxxxxxxx";
365        };
366
367        key "mykey" {
368                algorithm hmac-md5;
369                secret "yyyyyyyy";
370        };
371
372        view "internal" {
373                match-clients { !external; 10.0.1/24; };
374                server 10.0.1.1 {
375                        /* Deliver notify messages to external view. */
376                        keys { external; };
377                };
378                zone "example.com" {
379                        type master;
380                        file "internal/example.db";
381                        allow-update { key mykey; };
382                        notify-also { 10.0.1.1; };
383                };
384        };
385
386        view "external" {
387                match-clients { external; any; };
388                zone "example.com" {
389                        type slave;
390                        file "external/example.db";
391                        masters { 10.0.1.1; };
392                        transfer-source { 10.0.1.1; };
393                        // allow-update-forwarding { any; };
394                        // allow-notify { ... };
395                };
396        };
397
398Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
399file primaries/wireless.ietf56.ietf.org: no owner".
400
401A: This error is produced when a line in the master file contains leading
402white space (tab/space) but the is no current record owner name to inherit
403the name from.  Usually this is the result of putting white space before
404a comment.  Forgeting the "@" for the SOA record or indenting the master
405file.
406
407
408Q: Why are my logs in GMT (UTC).
409
410A: You are running chrooted (-t) and have not supplied local timzone
411information in the chroot area.
412
413        FreeBSD: /etc/localtime
414        Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
415        OSF: /etc/zoneinfo/localtime
416
417        See also tzset(3) and zic(8).
418
419
420Q: I get the error message "named: capset failed: Operation not permitted"
421when starting named.
422
423A: The capset module has not been loaded into the kernel.  See insmod(8).
424
425
426Q: I get "rndc: connect failed: connection refused" when I try to run
427   rndc.
428
429A: This is usually a configuration error.
430
431   First ensure that named is running and no errors are being
432   reported at startup (/var/log/messages or equivalent).  Running
433   "named -g <usual arguements>" from a terminal can help at this
434   point.
435
436   Secondly ensure that named is configured to use rndc either by
437   "rndc-confgen -a", rndc-confgen or manually.  The Administators
438   Reference manual has details on how to do this.
439
440   Old versions of rndc-confgen used localhost rather than 127.0.0.1
441   in /etc/rndc.conf for the default server.  Update /etc/rndc.conf
442   if necessary so that the default server listed in /etc/rndc.conf
443   matches the addresses used in named.conf.  "localhost" has two
444   address (127.0.0.1 and ::1).
445
446   If you use "rndc-confgen -a" and named is running with -t or -u
447   ensure that /etc/rndc.conf has the correct ownership and that
448   a copy is in the chroot area.  You can do this by re-running
449   "rndc-confgen -a" with appropriate -t and -u arguements.
450
451
452Q: I don't get RRSIG's returned when I use "dig +dnssec".
453
454A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
455
456
457Q: I get "Error 1067" when starting named under Windows.
458
459A: This is the service manager saying that named exited.   You need to
460   examine the Application log in the EventViewer to find out why.
461
462   Common causes are that you failed to create "named.conf" (usually
463   "C:\windows\dns\etc\named.conf") or failed to specify the directory
464   in named.conf.
465
466        options {
467                Directory "C:\windows\dns\etc";
468        };
469
470
Note: See TracBrowser for help on using the repository browser.